
Data Breach Notifications Soared Nearly 20 Percent in 2017

PCPD endeavours to assist corporations on privacy management
in view of new overseas regulatory challenges ahead


(14 February 2018) The Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner), Mr Stephen Kai-yi WONG, today reported on the work of his office in 2017 at the meeting of the Legislative Council Panel on Constitutional Affairs, highlighting the nearly 20% increase in data breach notifications received by the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) last year. Looking forward, the PCPD will allocate more resources and engage different stakeholders (especially micro, small and medium enterprises) in facilitating their work on personal data protection, so as to nurture an organisational culture of “respecting” personal data privacy.

2. Numerous leakages of customers’ data due to cybersecurity incidents have been widely reported in recent days, and the number of data breach notifications reported to the PCPD has surged by nearly 20%. The Privacy Commissioner expressed his concern about this trend: “Data users, regardless of public or private sector, should take all reasonably practicable steps to safeguard the personal data held by them. We are pleased to see that more and more organisations are willing to follow our recommendation to notify us voluntarily of data breach incidents. It is good practice to report an incident to the PCPD as soon as possible so that it can be handled properly. The PCPD will put more effort into facilitating businesses in safeguarding and managing personal data. We will join hands with different stakeholders such as trade associations and professional organisations to reinforce promotional and educational work with the aim of raising awareness of data protection (in particular among micro, small and medium enterprises) and nurturing an organisational culture of ‘respecting’ personal data privacy. We will also encourage businesses to build their own ‘Privacy Management Programme’, so as to embrace personal data privacy protection as part of their corporate governance responsibilities.”

3. The Privacy Commissioner said, “The PCPD continues to enhance public awareness of personal data protection through promotion and education activities. We also keep abreast of the latest privacy-related issues and release timely media statements and responses to address public concerns, so that corporations and organisations can also remain vigilant in protecting personal data privacy.”

4. The Privacy Commissioner added, “Given its irreplaceable attributes in respect of the free flow of information as well as its data protection law and framework, Hong Kong is well poised to become the premier data hub for hosting and storage services under ‘One Country, Two Systems’ and opportunities arising from the Belt and Road initiative. It can also help promote the Guangdong-Hong Kong-Macao Bay Area development by facilitating transfer and storage of data, connecting and converging ideas and information between the mainland of China and the rest of the world. On the other hand, with data as the new currency in the digital era, one of the data sources is our digital footprints left with our online activities. The powerful capability of data collection in this big data era has increased the risks of privacy intrusion. The ubiquity of data collection and the unpredictability of data use also make our work on protection of personal data more challenging than ever. The PCPD will proactively assist local data users in understanding and complying with data protection regimes overseas (especially the European Union General Data Protection Regulation (GDPR) to be enacted in May this year), and duly consider the need to establish a comparable framework and mechanism interoperable with international data protection authorities without compromising economic and technological development.”

The highlights of the PCPD's performance in 2017 are outlined as follows:

Enquiries

5.  In 2017, the PCPD received a total of 15,594 enquiries, which represented a decrease of 3.6% as compared with 16,180 enquiries in 2016. The enquiries mainly related to the collection and use of personal data (e.g. Hong Kong Identity Card numbers or copies) (30%), employment (11%), and use of personal data in direct marketing (DM) (7%).

6.  Internet-related enquiries have increased by 19% from 885 cases in 2016 to 1,057 cases in 2017. They were mainly concerned with cyber-profiling, mobile apps and cyber-bullying.
 
Complaints

7. In 2017, the PCPD received 3,501 complaints, which included 1,968 complaints relating to the reported loss of laptops containing personal data of Election Committee members and electors by the Registration and Electoral Office (the REO incident). Excluding the REO incident, the PCPD received 1,533 complaints in 2017, which represented a decrease of 17% as compared with the 1,838 complaints in 2016.
   
8. Of those 1,533 complaint cases received:
  • 64% were made against the private sector (987 cases), 20% against the public sector / government departments (297 cases) and 16% against individuals (249 cases);
  • Among private sector organisations, the financial industry received the highest number of complaints (210 cases), followed by property management (122 cases) and telecommunications (79 cases);
  • Regarding the nature of the 1,533 complaints, 41% related to the use of personal data without the consent of data subjects (632 cases), 34% related to the purpose and manner of data collection (519 cases), 14% related to the security of personal data (207 cases) and 8% related to data access / correction requests (122 cases).

Electioneering

9.  In 2017, a total of 1,974 electioneering-related complaints were received, the majority (1,968 cases) of which related to the REO incident. The remaining six complaints were lodged against candidates, an industry organisation and a government department about their collection, use and security of personal data.

10. Having noted the increase in electioneering-related complaints and the imminent Legislative Council by-election, the PCPD revised and issued comprehensive guidance entitled Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public in December 2017 to assist candidates and their affiliated political bodies, government departments and public opinion research organisations in complying with the requirements under the Personal Data (Privacy) Ordinance (the Ordinance) when carrying out election activities. It also provides advice to members of the public on personal data protection in this regard. By making reference to past complaint cases handled by the PCPD, data protection issues across the different stages of an election are examined and the requirements under the Ordinance are explained in plain language.

Use of Information and Communications Technology ("ICT")

11. In 2017, the PCPD received 237 ICT-related privacy complaints, which represented an increase of 3% as compared with 229 cases in 2016. Common issues in this category (a complaint may involve more than one issue) included the use of mobile apps and social networking websites (171 cases), the disclosure or leakage of personal data on the Internet (65 cases), and cyber-bullying (50 cases).

12. Last year, the PCPD issued the Physical Tracking and Monitoring Through Electronic Devices information leaflet and its infographic to highlight the personal data privacy risks associated with physical tracking or monitoring through electronic devices. The leaflet also suggests best practices for carrying out privacy impact assessments for any relevant tracking or monitoring projects, and provides data protection recommendations for manufacturers of electronic devices. The PCPD also produced the Protect, Respect Personal Data – Smart Use of Internet of Things infographic, which provides six practicable tips for users of Internet of Things devices, and revised the Cyber-bullying – What you need to know leaflet to remind members of the public, through various examples, of the privacy and legal issues involved in cyber-bullying.

Use of CCTV

13. In 2017, the PCPD received 197 complaints relating to CCTV, 113 of which related to the CCTV footage leakage incident at the Education University of Hong Kong (the EdUHK incident). Excluding the EdUHK incident, the PCPD received 84 complaints in 2017, as compared with 82 complaints in 2016.

14. In 2017, the PCPD revised the Guidance on CCTV Surveillance and Use of Drones and produced a related infographic entitled CCTV Surveillance & Use of Drones to advise data users on how to use CCTV responsibly from the perspective of personal data privacy protection.

Direct Marketing

15. In 2017, the PCPD received 186 DM-related complaints, which represented a decrease of 53% as compared with 393 cases in 2016 (88 of which were filed by the same complainant). Common issues in this category included the use of personal data for DM without obtaining the data subject’s consent, and failure to observe the data subject’s opt-out request.

16.  Since the new direct marketing regulatory regime took effect on 1 April 2013 under the Personal Data (Privacy) (Amendment) Ordinance 2012, as of 31 December 2017, a total of ten cases that were referred to the Police for criminal investigation had resulted in convictions. There were three convictions in 2017:

January 2017
A bank failed to comply with a customer’s opt-out request to cease using his personal data in direct marketing.
Penalty: fined HK$10,000.

November 2017
A financial consultant of a financial services company used the personal data of a data subject in direct marketing without taking the specified actions and obtaining his consent, and failed to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request without charge that his personal data not be used in direct marketing.
Penalty: fined HK$10,000 in respect of each charge; HK$20,000 in total.

December 2017
A fitness company failed to comply with a customer’s opt-out request to cease using his personal data in direct marketing.
Penalty: fined HK$7,000.

17.  The PCPD also submitted responses to the Consultation on Strengthening the Regulation of Person-to-Person Telemarketing Calls proposed by the Commerce and Economic Development Bureau in July 2017.

Data Breach Notifications, Compliance Checks and Compliance Investigations

18. In 2017, 106 data breach incidents were reported to the PCPD, which represented an increase of 19% as compared with 89 incidents in 2016. As the REO incident in 2017 affected 3.78 million individuals, the number of affected individuals increased significantly from 104,000 in 2016 to 3.87 million in 2017. Excluding the REO incident, the number of affected individuals dropped to 86,000, which represented a decrease of 17% as compared with 2016. The causes of the data breach incidents included the loss of documents or portable devices, inadvertent disclosure of personal data by fax, email or post, hacking, and system misconfiguration.

19.  The PCPD completed 253 compliance checks and one compliance investigation in 2017, as compared with 259 compliance checks and four compliance investigations in 2016.

Inspection

20.  In December 2017, the PCPD released an inspection[1] report on the personal data system of an estate agency, and proposed in the report a number of recommendations and good practices based on the elements of a comprehensive privacy management programme for the industry to consider.

Enforcement Action and Prosecution

21.  In 2017, the PCPD issued 26 warnings and three enforcement notices on data users as compared with 36 warnings and six enforcement notices in 2016.
 
22. During the same period, 19 cases were referred to the Police for criminal investigation and prosecution (as compared with 112 cases in 2016, 88 of which were filed by the same complainant), the majority of which (18 cases) related to contraventions involving the use of personal data in DM.

23.  The total number of prosecution cases in 2017 was four (five in 2016), all of which were referred by the PCPD to the Police between 2015 and 2016. All defendants in the four cases were convicted, including a company director who failed to comply with a summons issued by the Privacy Commissioner. The other three convictions concerned the use of personal data in DM.

Legal Assistance Scheme

24.  Under the Legal Assistance Scheme, the PCPD may provide assistance to a person who has suffered damage by reason of a contravention of a requirement under the Ordinance by a data user and intends to institute proceedings to seek compensation from the relevant data user. In 2017, the PCPD processed 16 applications for legal assistance. Of these applications, two were granted with legal assistance, six were rejected, four were withdrawn by the applicants and four are being considered.
 
The Administrative Appeals Board (AAB) Cases

25. A total of 25 appeal cases were received last year. Of these, 18 appeals were against the Privacy Commissioner’s decision not to carry out, or to terminate, a formal investigation; one appeal related to a case that was not accepted as a complaint under section 37 of the Ordinance; and four appeals were against the Privacy Commissioner’s decision not to serve an enforcement notice after investigation. The remaining two appeals were against the Privacy Commissioner’s decision to serve an enforcement notice after investigation.

26.  A total of 22 appeals were concluded in 2017, 12 of which were dismissed by the AAB and nine were withdrawn by the appellants. One appeal was partly allowed. Over 95% of the appeals were eventually dismissed by the AAB or withdrawn by the appellants.

International and Mainland Connections

27. Over the past year, the PCPD drew on its respected role in Asia to engage in different regional and international forums, sharing its experience and insights in data protection and learning from others. For example, the PCPD is an executive member of the International Conference of Data Protection and Privacy Commissioners, the Global Privacy Enforcement Network and the Asia Pacific Privacy Authorities (APPA), and in APPA it is also the convenor of the Technology Working Group. The PCPD also participated in a number of conferences in the mainland and overseas in 2017 to share experience and build connections with its working partners.

Media

28. In 2017, the PCPD issued 30 media statements and responded to 217 media enquiries. 54 media interviews were conducted, the topics of which included data breach incidents or hacking activities (45.6%), CCTV and drones (10.6%), and mobile apps and DM (8.7%).

Promotion and Public Education

29. In 2017, the PCPD conducted 314 professional workshops, talks, seminars and meetings with stakeholders, with a total of 25,038 participants from over 430 organisations and 51,050 training hours recorded. The number of in-house seminars organised upon invitation was 106, the highest in the past five years, with a total of 16,740 training hours. In addition, the Privacy Commissioner was invited to speak and share views on how to strike the right balance between personal data protection and the free flow of information at 135 presentations, seminars, talks and meetings with stakeholders throughout the year, amounting to 25,482 training hours. In 2017, the PCPD also published or revised 13 publications, including guidelines, information leaflets, infographics and the annual report, to help organisations and industries understand and comply with the Ordinance and implement best practices, and to provide practical tips on privacy protection to members of the public.

30. In 2017, a total of 17 general promotional and education programmes were organised to meet the various needs of individuals (including students and the elderly) and organisations, reaching 258,147 participants. Promotion of youth privacy has always been one of the PCPD’s priorities. A record-high 132 schools joined the 2017 “Student Ambassador for Privacy Programme” and became our school partners, with a total of 25,925 participants, the highest number since the Programme was launched. Sixteen educational talks for senior citizens were also held last year in collaboration with elderly-serving non-government organisations to help senior citizens recognise potential data privacy risks and to share with them tips on personal data protection in daily life. These talks were attended by 1,120 senior citizens. For the business sector, the PCPD enhanced the information provided on its main website for small and medium enterprises and other industries to raise their awareness of privacy issues. The number of participants in Industry-specific Campaigns in 2017 was 2,657, about the same as in 2015, with 6,382 training hours recorded.

31. To remind members of the public of the importance of privacy protection in the use of ICT, the PCPD launched a new series of educational animated videos in the first quarter of 2017 entitled “Think Privacy! Be Smart Online”, including a TV Announcement in the Public Interest (API) and a series of animated videos illustrating how personal data privacy rights can be protected in daily life. The topics of these videos were “Use mobile apps wisely”, “Managing online accounts and passwords”, “Webcam” and “Privacy check-up at social media”.

32.  As one of the major channels to reach out to the community, the PCPD continued to strengthen and improve the information provided on its main website (PCPD.org.hk) and two thematic websites, “Be SMART Online” and “Children Privacy” in 2017.

Key Issues in 2017

The REO incident:

33. The Privacy Commissioner carried out an investigation into the incident. The investigation showed that the REO had simply followed past practices in its assessment and approval of the use of an enquiry system containing the Electors’ data. The claimed benefit of storing the personal data of all Electors was not proportionate to the associated risks. It was therefore concluded that the REO had contravened Data Protection Principle (DPP) 4(1) of the Ordinance. The Privacy Commissioner published the investigation report on 12 June 2017 and issued an enforcement notice to the REO. The REO complied with the enforcement notice as scheduled.

The EdUHK incident:

34. The Privacy Commissioner completed a compliance check on the EdUHK incident. The compliance check revealed that the EdUHK had failed to take all reasonably practicable steps to safeguard the personal data of the two persons who had posted a certain banner on the campus Democracy Wall, thereby contravening DPP 4 of the Ordinance. The Privacy Commissioner requested the EdUHK to take appropriate remedial measures to prevent a recurrence of such a data leakage incident.

The 39th International Conference of Data Protection and Privacy Commissioners:

35.  The PCPD hosted the 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) from 25 to 29 September 2017. With the theme “Connecting West with East in Protecting and Respecting Data Privacy”, the Conference attracted more than 750 representatives from data protection authorities, the Government and business leaders, information and communications technology professionals, academia and privacy advocates from Hong Kong and over 60 countries or regions for in-depth discussions on emerging issues on data protection, exchanging innovative strategies and ideas as well as addressing future challenges.

36. The five-day Conference consisted of 14 closed sessions for ICDPPC accredited members and observers, and 15 open sessions attended by all in the data protection community. 25 side events were also organised by some 30 corporations and organisations in the privacy community, offering participants updates on the latest developments in various data protection subjects as well as platforms for exchanging views, sharing experiences and discussing strategies for the way forward. A total of more than 10,000 training / publicity / education hours were recorded.

Comparative study on the GDPR and the Ordinance:

37. In May 2016, the European Union enacted its new data protection law, the GDPR, which will become effective on 25 May 2018. The PCPD is concluding a comparative study of the GDPR and the Ordinance with a view to identifying the differences between them. Since November 2017, the PCPD has carried out educational activities to raise public awareness of the GDPR. The PCPD plans to publish an Information Leaflet in the first quarter of 2018 to assist local corporations in understanding the possible impact of the GDPR on the business environment.

Chinese Book entitled “Watch out! This is My Personal Data Privacy”:

38. Following the publication in 2016 of the English book entitled “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance”, the PCPD jointly published with the City University of Hong Kong Press a book in Chinese entitled “Watch out! This is My Personal Data Privacy”, which provides user-friendly guidance on the requirements under the Ordinance, supplemented with illustrative cases, to raise awareness of the protection of and respect for personal data privacy. A book launch event was held during the 2017 Book Fair, at which the Privacy Commissioner hosted a talk introducing the content of the new book and practical points to note in privacy protection.

Participation in the Privacy Sweep Exercise relating to the “User Control over Personal Information”:

39. The PCPD participated in the global Privacy Sweep of the Global Privacy Enforcement Network for the fifth consecutive year. In May 2017, the PCPD examined 30 customer loyalty and reward programmes selected from various sectors (such as retail, catering, hotels and airlines) to evaluate how well consumers could exercise control over their own personal data. Through the Privacy Sweep, the PCPD sought to encourage programme operators to be frank and transparent with their customers about their privacy policies and practices, to respect their customers’ right to personal data privacy, and to allow customers to exercise control over their own personal data (such as by requesting deletion of data). The PCPD also took the opportunity to educate consumers to consider privacy risks before joining such programmes.

Awards and Recognitions:

40. Following the awards received by the PCPD’s websites under the “Web Accessibility Recognition Scheme” in 2016, the “Be SMART Online Thematic Website Enhancement” project won the “Use of Online Tools” category award of the Global Privacy and Data Protection Awards organised by the International Conference of Data Protection and Privacy Commissioners in 2017.

41.  The Chinese Book entitled “Watch out! This is My Personal Data Privacy” also won the Merit Award of “Mono / Duotone Color Book” Group under “Book Printing” Category of the 29th Hong Kong Print Awards.

42. The PCPD cares about its staff members with a view to building a high-quality professional team. It was one of the winners of the “Most Breastfeed-caring Corporate Award” in the “2017 My Favourite Lactation Room Contest” organised by the Hong Kong Breastfeeding Mothers’ Association.

43.  Last year, two PCPD staff members also received Individual Awards for Officers of Public Organisations in The Ombudsman’s Awards 2017 for their outstanding performance in handling enquiries and complaints.

Strategic Focus for 2018

44. In 2018, the PCPD will take proactive steps to strike a balance between privacy protection and the free flow of information, and will look closely into the use of an ethical framework as an innovative solution to regulating new disruptive technologies. Special focus will be placed on:
  • Engaging the business sector (especially the micro, small and medium size enterprises) in promoting the protection and respect of personal data privacy, with a view to enhancing the culture of respect of personal data privacy in the sector;

  • Strengthening the working relationship with the Mainland and overseas data protection authorities, and explaining the newly implemented rules and regulations on data protection of other jurisdictions to the local stakeholders for compliance with the requirements; and

  • Providing advice to the Government on initiatives involving personal data privacy.

-END-


[1] Pursuant to section 36 of the Ordinance, the Privacy Commissioner may carry out an inspection of any personal data system used by a data user for the purpose of making recommendations relating to the promotion of the compliance with the provisions of the Ordinance.